I’ve been asked several times for the ability to use Azure Sentinel to keep track of who is executing Azure Cloud Shell. So, I finally put together a quick Analytics Rule that will identify when Cloud Shell is run and report on the user and IP address used. It definitely still needs to be tuned somewhat, but works, as is.
The IP Address captured relates directly to the Azure datacenter/region Cloud Shell is run from, but it’s still useful to know in some cases. The user is the important piece.
//KQL for Analytics Rule to track Cloud Shell Execution
AzureActivity
| where ResourceGroup startswith "CLOUD-SHELL"
| where ActivityStatusValue == "Started"
| extend action_ = tostring(parse_json(Authorization).action)
| summarize count() by ResourceGroup , Caller , CallerIpAddress , ActivityStatusValue , ActivitySubstatusValue, CategoryValue , action_
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddressGrab the most current version from GitHub: https://github.com/rod-trent/SentinelKQL/blob/master/AR-CloudShellExecution.txt
If you decide to use it as an Analytics Rule, I recommend grouping the alerts in the following manner:
For scheduling, I run the Rule every day, looking through the last day’s worth of logs.
I also recommend that if you want to use this for simple reporting it would actually be better to integrate it into a Workbook visual.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
